Site Notifications—A New Cyber Attack Entrypoint

Measured Staff
October 9, 2021

Site notifications are often annoying but sometimes helpful, and they seem harmless.

Typically installed to remind you of a discount or an update, they’re a great channel for brands, getting more information and eyes on ads or offers. But the flipside? Cyber criminals have identified site notifications as a great entrypoint to your device.

In this article we’ll dive into site notifications and what you need to know to keep your information safe.

What are site notifications?

Site notifications are sent to users as pop-up messages in their browser. These notifications are sent outside the page at the system level, as opposed to a pop-up that is displayed in the site window. On a Windows device, the messages appear in the bottom right corner as opposed to a Mac where they appear on the top right. Messages typically include the notification title, content from the entity, a URL, an icon or image, and the browser icon.

How are site notifications making you vulnerable to cyber threats?

Site notifications are a growing concern for cyber security. Like other social engineering techniques (email phishing, whaling, etc.), criminal actors impersonate real brands with site notifications in an attempt to trick victims into clicking the notification. Once the victim has clicked, malware is downloaded or the victim is directed to a fake website which then prompts a download of malware.

Many site notifications simply ask the user to allow or block a specific site or action. With only a quick glance, a user can mistake the notification for one from a real brand and be tricked into clicking on the fake message. And because the site notifications are disguised, victims often don’t know their system or device has been compromised.

How to identify a fake site notification

It’s always best practice to review any digital message to ensure it’s from a trusted source, but there are a few key signs that can tip you off to a phishing scheme. If an ad appears in an unusual location on your browser or screen, or you see ads or programs installed on your device that you didn’t authorize, it’s time to investigate further. If you get pop-ups that warn you about security risks or an infection on your computer and state that you must install something to fix it, or messages that advertise fake updates to your software or operating system, these are clear indicators you’re a target.

How to disable site notifications

Enabling too many notifications also increases the risk that you could allow a malicious message. For many, disabling site notifications is a good baseline, with each future site notification request assessed on its own merits.

For most browsers, the process to turn off site notifications is simple.

To turn off all notifications in Chrome:

Click the three dots button in the upper right corner of the Chrome menu to find Settings.

Click Privacy and Security > Site settings > Notifications.

The slider will be set to Ask before sending (recommended) by default. Switch to Block to block all notifications.
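After switching the default, it is also worth reviewing which sites were already allowed to send notifications. The script below is an added example, not part of the original article: it parses JSON shaped like a Chrome profile Preferences file and lists the origins that still hold an Allow permission. The key layout, the 1 = allow / 2 = block values, and the sample data are assumptions and constructed values, not a documented stable format.

```python
import json

# Constructed sample shaped like a Chrome profile "Preferences" file (JSON).
# Assumption: the key layout and the 1 = allow / 2 = block values match what
# Chrome currently writes; this is not a documented, stable format.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "default_content_setting_values": {"notifications": 2},
        "content_settings": {"exceptions": {"notifications": {
            "https://news.example:443,*": {"setting": 1},
            "https://promo-alerts.example:443,*": {"setting": 1},
            "https://shop.example:443,*": {"setting": 2},
        }}},
    }
})

ALLOW, BLOCK = 1, 2


def audit_notifications(preferences_text):
    """Return (default_is_block, sorted list of origins allowed to notify)."""
    profile = json.loads(preferences_text).get("profile", {})
    default = profile.get("default_content_setting_values", {}).get("notifications")
    exceptions = (profile.get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    allowed = []
    for pattern, entry in exceptions.items():
        if isinstance(entry, dict) and entry.get("setting") == ALLOW:
            # Pattern is "primary,secondary"; the primary part is the site.
            allowed.append(pattern.split(",", 1)[0])
    return default == BLOCK, sorted(allowed)


if __name__ == "__main__":
    # To audit a real profile, read its Preferences file instead of the sample.
    default_block, allowed = audit_notifications(SAMPLE_PREFERENCES)
    print("Default is Block:", default_block)
    for origin in allowed:
        print("Still allowed to notify:", origin)
```

Any origin it reports can be reviewed and removed from the Allow list on the same Notifications settings page.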

To turn off all notifications in Firefox:

Click the three horizontal bars in the upper right corner of the menu bar.

Click Options in settings, then on the left-hand side choose Privacy & Security > Permissions > Settings (behind Notifications).

In the menu that comes up, check the box that says “Block new requests asking to allow notifications.” You can also use the drop-down menu to choose Block or Allow on each specific site, if you would like to choose some to allow.

To turn off all notifications in Safari:

Open Safari and go to Safari > Preferences > Websites, then choose Notifications on the left side of the box.

You will see all websites and you can choose to disable notifications from some sites, or check the box to deny all notifications.

To learn more about other phishing techniques and what you can do to prevent falling victim to social engineering, check out these blog posts:

The Definitive Guide to Phishing

What is Spear Phishing?

What is Whaling?

Phishing Examples